SNMP with sflowtrend and sflow-rt


Vlad Kratsberg

Jan 21, 2021, 6:34:19 PM
to sFlow-RT
Hello,

We are testing SFLOWTREND and SFLOW-RT and having issues with enabling SNMP to get interface and hostname friendly names.  None of the apps are doing the polling, I verified with tcpdump and checked firewall flow sessions.

sFlowTrend indicates that it timed out but it never actually tried to poll.

Here is the Dockerfile that I use to build the sflow-rt container with additional apps.  ASN and Country resolutions work, however SNMP doesn't.  What am I doing wrong?


===========================
FROM sflow/sflow-rt:latest

ENV RTAPP="-Ddns.servers=resolv.conf -Dgeo.country=resources/config/GeoLite2-Country.mmdb -Dgeo.asn=resources/config/GeoLite2-ASN.mmdb -Dsnmp.ifname=yes -Dsnmp.version=3 -Dsnmp.community=squarespace -Dsnmp.user=observium -Dsnmp.authprotocol=sha -Dsnmp.authpasswd=$SNMP_PASS -Dsnmp.privprotocol=aes123 -Dsnmp.privpasswd=$SNMP_PASS"

RUN /sflow-rt/get-app.sh sflow-rt browse-metrics && /sflow-rt/get-app.sh sflow-rt browse-flows && /sflow-rt/get-app.sh sflow-rt prometheus && /sflow-rt/get-app.sh sflow-rt flow-trend && /sflow-rt/get-app.sh sflow-rt fabric-view && /sflow-rt/get-app.sh sflow-rt top-flows
========================================

What am I doing wrong?

Screen Shot 2021-01-15 at 5.29.29 PM.png

Peter Phaal

Jan 21, 2021, 6:50:16 PM
to sFlow-RT
The sFlow-RT Dockerfile has a misconfiguration. -Dsnmp.privprotocol=aes123 should probably be -Dsnmp.privprotocol=aes128.

sFlow-RT retrieves ifName sysName information based on the IP address in the sFlow agent field. Have you confirmed that the sFlow agent is reachable from the sFlow collector? You can find the sFlow agent addresses by querying sFlow-RT, http://localhost:8008/agents/json

Vlad Kratsberg

Jan 22, 2021, 1:00:45 AM
to sFlow-RT
Hi Peter,

Thanks for the reply and spotting the typo.  I updated the Dockerfile to -Dsnmp.privprotocol=aes128 and checked that the sFlow collector can reach the sFlow agent.  I don't see an SNMP request from the sFlow collector.  Not sure where else to check.

Peter Phaal

Jan 22, 2021, 1:17:13 AM
to sFlow-RT
Did you check the agent address? With sFlow, the agent address is a field in the data, not the source address of the UDP packet. If the address is bad (e.g. 127.0.0.1) then the SNMP request wouldn't be sent on the network.
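
Added example (not part of the original thread): a minimal Python parser for the sFlow version 5 datagram header that extracts the agent address field described above and compares it with the UDP source address. The datagrams are constructed with `build_header`, a helper written for this example, using addresses quoted in the thread.

```python
import ipaddress
import struct

def parse_sflow_agent(datagram: bytes):
    """Return (version, agent_address, sub_agent_id) from an sFlow v5 header."""
    if len(datagram) < 8:
        raise ValueError("datagram too short for an sFlow header")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    if len(datagram) < 8 + addr_len + 4:
        raise ValueError("datagram truncated inside the agent address")
    agent = ipaddress.ip_address(datagram[8:8 + addr_len])
    (sub_agent,) = struct.unpack_from("!I", datagram, 8 + addr_len)
    return version, agent, sub_agent

def check_agent(datagram: bytes, udp_source: str):
    """List reasons an SNMP poll of the agent address may never reach the device."""
    _, agent, _ = parse_sflow_agent(datagram)
    findings = []
    if agent.is_loopback or agent.is_unspecified or agent.is_link_local:
        findings.append(f"agent address {agent} is not routable, "
                        "so no SNMP request will appear on the network")
    if agent != ipaddress.ip_address(udp_source):
        findings.append(f"agent address {agent} differs from UDP source "
                        f"{udp_source}; SNMP is sent to the agent address")
    return findings

def build_header(agent: str, sub_agent=0, seq=1, uptime=1000, samples=0):
    """Constructed sample: an sFlow v5 header with zero samples."""
    ip = ipaddress.ip_address(agent)
    addr_type = 1 if ip.version == 4 else 2
    return (struct.pack("!II", 5, addr_type) + ip.packed +
            struct.pack("!IIII", sub_agent, seq, uptime, samples))

if __name__ == "__main__":
    # Agent address vs. datagram source, as in the sFlowTrend case in the thread
    for agent, src in [("127.0.0.1", "10.192.72.156"),
                       ("10.192.101.10", "10.192.72.156")]:
        print(agent, src, check_agent(build_header(agent), src))
```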

Vlad Kratsberg

Jan 22, 2021, 2:08:17 AM
to Peter Phaal, sFlow-RT
Yes, I specifically configured sFlow Agent on network device with a reachable ip.  
Screen Shot 2021-01-22 at 2.05.35 AM.png
 


Vlad Kratsberg

Jan 22, 2021, 9:09:18 AM
to Sonia Panchen, Peter Phaal, sFlow-RT
Hello Sonia,

10.192.101.10/10.192.1.101 is a different device.  I understand what you are saying and wouldn't even reach out if I saw a get-request coming from sFlow-RT or sFlowTrend.  I am doing a port mirror and tcpdump matching the source IP of the collectors, however I don't see any SNMP packet sent from either sFlow-RT or sFlowTrend.  Below are new sFlowTrend screenshots.

Screen Shot 2021-01-22 at 8.56.49 AM.png

Screen Shot 2021-01-22 at 8.57.15 AM.png

On Fri, Jan 22, 2021 at 5:19 AM Sonia Panchen <span...@gmail.com> wrote:
Looking at the original sFlowTrend screenshot, the agent in question has an sFlow agent address of 10.192.101.10 and you have configured an SNMP IP address of 10.192.1.101.
The details for your device show 10.192.1.115 and an sFlow datagram source address of 10.192.72.156. So the addresses that you are showing for the device do not match those shown in sFlowTrend. Is this the correct device?

The sFlow datagram source address for the device is not necessarily the same as the sFlow agent address. The sFlow agent address is a field inside the sFlow datagram and must uniquely identify the switch. If this address is not reachable from sFlowTrend, you can configure sFlowTrend to use an IP address that is reachable and responds to SNMP (SNMP IP address).  See https://inmon.com/products/sFlowTrend/help/html/configuration.agents.html

In addition, the screenshot for sFlowTrend reports an SNMP error of “Timed out”. The troubleshooting in the help https://inmon.com/products/sFlowTrend/help/html/troubleshooting.html#troubleshooting.troubleshooting.no-snmp indicates that this could be because the SNMP settings are incorrect or there are firewalls in the network or on the host blocking SNMP. Are the SNMP v3 settings you have configured correct and is the host you are running sFlowTrend on blocking any traffic?


Vlad Kratsberg

Jan 22, 2021, 9:28:00 AM
to Sonia Panchen, Peter Phaal, sFlow-RT
I will try reconfiguring my device to SNMPv2 to see if it changes anything.


Vlad Kratsberg

Jan 22, 2021, 11:12:00 AM
to Sonia Panchen, Peter Phaal, sFlow-RT
Not exactly, I am looking at the source device (sFlowRT and sFlowTrend) to see if they sent an SNMP get-request packet with tcpdump, and neither sFlowRT nor sFlowTrend sends an SNMP packet to the end host.  That is why I want to implement SNMPv2 to see if it makes any difference.  Otherwise, I don't know where else to look to see why SNMP is not initiated by sFlow collectors.

Thank you

On Fri, Jan 22, 2021 at 10:55 AM Sonia Panchen <span...@gmail.com> wrote:
It sounds as if you are looking at the device end to see if any SNMP from sFlowTrend is received. Have you checked on the sFlowTrend system that SNMP is sent (using tcpdump or Wireshark for example)?

The SNMP error “Timed out” shown in sFlowTrend is normally a result of incorrect SNMP settings or a host (or network firewall). Since you are not seeing anything on the device end, have you also checked to see whether there is a route from the sFlowTrend system to the device for SNMP?

Sonia Panchen

Jan 22, 2021, 1:31:52 PM
to Vlad Kratsberg, Peter Phaal, sFlow-RT
Looking at the original sFlowTrend screenshot, the agent in question has an sFlow agent address of 10.192.101.10 and you have configured an SNMP IP address of 10.192.1.101.
The details for your device show 10.192.1.115 and an sFlow datagram source address of 10.192.72.156. So the addresses that you are showing for the device do not match those shown in sFlowTrend. Is this the correct device?

The sFlow datagram source address for the device is not necessarily the same as the sFlow agent address. The sFlow agent address is a field inside the sFlow datagram and must uniquely identify the switch. If this address is not reachable from sFlowTrend, you can configure sFlowTrend to use an IP address that is reachable and responds to SNMP (SNMP IP address).  See https://inmon.com/products/sFlowTrend/help/html/configuration.agents.html

In addition, the screenshot for sFlowTrend reports an SNMP error of “Timed out”. The troubleshooting in the help https://inmon.com/products/sFlowTrend/help/html/troubleshooting.html#troubleshooting.troubleshooting.no-snmp indicates that this could be because the SNMP settings are incorrect or there are firewalls in the network or on the host blocking SNMP. Are the SNMP v3 settings you have configured correct and is the host you are running sFlowTrend on blocking any traffic?

Sonia Panchen

Jan 22, 2021, 1:31:52 PM
to Vlad Kratsberg, Peter Phaal, sFlow-RT
When sFlowTrend reports an SNMP error of “Timed out” this indicates that it has tried to send an SNMP request. I suggest that you use tcpdump on the system to capture a trace of the SNMP. I suggest that you start the capture, then disable and reenable the device in sFlowTrend.

Sonia Panchen

Jan 22, 2021, 1:31:52 PM
to Vlad Kratsberg, Peter Phaal, sFlow-RT
It sounds as if you are looking at the device end to see if any SNMP from sFlowTrend is received. Have you checked on the sFlowTrend system that SNMP is sent (using tcpdump or Wireshark for example)?

The SNMP error “Timed out” shown in sFlowTrend is normally a result of incorrect SNMP settings or a host (or network firewall). Since you are not seeing anything on the device end, have you also checked to see whether there is a route from the sFlowTrend system to the device for SNMP?

Vlad Kratsberg

Jan 22, 2021, 4:27:19 PM
to Sonia Panchen, Peter Phaal, sFlow-RT
Hi Sonia, 

You were right.  When I disabled and reenabled devices in SNMP, I saw get requests.  I will take it from here with sFlowTrend SNMP.  Is there a similar mechanism in sFlow-RT to trigger an SNMP poll so I could capture it?


root@nms001]  # tcpdump -i em2 host 10.197.253.82 and udp port 161
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 262144 bytes
21:21:55.418190 IP 10.197.253.82.58064 > nj-leaf-sw015.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:55.418674 IP 10.197.253.82.47349 > nj-leaf-sw010-mgt.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:55.418680 IP 10.197.253.82.44812 > nj-leaf-sw015-mgt.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:55.418995 IP 10.197.253.82.41818 > nj-leaf-sw001.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:55.920295 IP 10.197.253.82.58064 > nj-leaf-sw015.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:55.920670 IP 10.197.253.82.41818 > nj-leaf-sw001.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:55.920782 IP 10.197.253.82.44812 > nj-leaf-sw015-mgt.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:55.920794 IP 10.197.253.82.47349 > nj-leaf-sw010-mgt.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:56.419759 IP 10.197.253.82.58064 > nj-leaf-sw015.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:56.420820 IP 10.197.253.82.41818 > nj-leaf-sw001.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:56.421009 IP 10.197.253.82.44812 > nj-leaf-sw015-mgt.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)
21:21:56.421010 IP 10.197.253.82.47349 > nj-leaf-sw010-mgt.drt.ewr.prod.squarespace.net.snmp:  F=r U="" E= C="" GetRequest(11)

Thank you

Peter Phaal

Jan 22, 2021, 4:57:43 PM
to sFlow-RT
sFlow-RT makes very few SNMP requests. It will only make a request for the sysName and ifName associated with an interface that it sees in an sFlow counter sample. If the SNMP request fails, it will be retried 10 minutes later. If the request succeeds, the result is retained for 24 hours before being refreshed.

Have you looked at the sFlow-RT logging output? Are there any SNMP related messages?

Vlad Kratsberg

Jan 22, 2021, 5:30:50 PM
to Peter Phaal, sFlow-RT
Hi Peter,

I see the following message in docker logs:

2021-01-22T00:35:21Z WARNING: SNMP illegal argument USM passphrases must be at least 8 bytes long (RFC3414 §11.2)

Vlad Kratsberg

Jan 22, 2021, 5:35:21 PM
to Peter Phaal, sFlow-RT
OK, I figured it out, I was passing the wrong env variable to the docker container.

Thank you for your responses and helping to troubleshoot it.
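
Added example (not part of the original thread, and not sFlow-RT code): a Python pre-flight check for the `RTAPP` property string that catches the two problems found above, the `aes123` typo and a USM passphrase shorter than 8 bytes, before the container starts. It assumes the passphrase variable expanded to an empty string; `ALLOWED_PRIV` holds only the value confirmed in the thread, and the sample passphrase is constructed.

```python
import re
import shlex

# Only privacy protocol value confirmed in the thread (assumption: extend
# this set from the sFlow-RT documentation for your deployment).
ALLOWED_PRIV = {"aes128"}
MIN_USM_PASSPHRASE = 8  # bytes, RFC 3414 section 11.2 (cited in the log warning)

# SNMP part of the RTAPP value posted in the thread
RTAPP_FROM_THREAD = ("-Dsnmp.ifname=yes -Dsnmp.version=3 -Dsnmp.user=observium "
                     "-Dsnmp.authprotocol=sha -Dsnmp.authpasswd=$SNMP_PASS "
                     "-Dsnmp.privprotocol=aes123 -Dsnmp.privpasswd=$SNMP_PASS")

def expand(rtapp: str, env: dict) -> str:
    """Expand $NAME / ${NAME}; an unset name becomes the empty string."""
    return re.sub(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?",
                  lambda m: env.get(m.group(1), ""), rtapp)

def parse_props(rtapp: str) -> dict:
    """Turn '-Dkey=value ...' into a dict of properties."""
    props = {}
    for tok in shlex.split(rtapp):
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value
    return props

def check_snmpv3(props: dict) -> list:
    """Return findings; passphrases are reported by length only, never echoed."""
    findings = []
    if props.get("snmp.version") != "3":
        return findings
    for key in ("snmp.authpasswd", "snmp.privpasswd"):
        n = len(props.get(key, "").encode())
        if n < MIN_USM_PASSPHRASE:
            findings.append(f"{key}: {n} bytes, need at least {MIN_USM_PASSPHRASE}")
    priv = props.get("snmp.privprotocol", "")
    if priv not in ALLOWED_PRIV:
        findings.append(f"snmp.privprotocol: unrecognised value {priv!r}")
    if not props.get("snmp.user"):
        findings.append("snmp.user: missing")
    return findings

if __name__ == "__main__":
    for finding in check_snmpv3(parse_props(expand(RTAPP_FROM_THREAD, {}))):
        print("WARNING:", finding)
```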
